From c56c86d57b618fda48ba5fb30c070e8eba335ea7 Mon Sep 17 00:00:00 2001
From: The_miro
Date: Wed, 20 May 2026 13:13:53 +0200
Subject: [PATCH] fix(freeipa): harden container SMB setup and fetch-alerts script
ansipa-smb.service: WantedBy=multi-user.target (was smb.service) so the setup service always runs at boot, not only when smb.service pulls it in
docker-compose.yml: add NetBIOS UDP ports 137/138 to match Dockerfile EXPOSE and nmb.service being enabled
ansipa-smb-setup.sh:
- use printf '%q' when writing SMB_SCAN_PASSWORD to ansipa-smb.env so passwords with spaces or shell-special chars are correctly quoted
- always write /etc/cron.d/ansipa-check-scans (remove the [[ ! -f ]] guard) since /etc/cron.d is on the ephemeral container layer and is lost on container recreation; the service runs on every start anyway
Dockerfile: add -e SMB_SCAN_PASSWORD and -p 445:445 to the quick-test comment
ansipa-fetch-alerts.sh: replace $NEW && log with [[ "$NEW" == true ]] && log to avoid set -e ambiguity with the 'false' builtin
Co-Authored-By: Claude Sonnet 4.6
---
 .../FreeipaAnsible/ansible/ansipa-fetch-alerts.sh | 2 +-
 setup/modules/FreeipaAnsible/image/Dockerfile | 3 ++-
 .../FreeipaAnsible/image/ansipa-smb-setup.sh | 13 +++++++------
 .../modules/FreeipaAnsible/image/ansipa-smb.service | 4 +++-
 .../modules/FreeipaAnsible/image/docker-compose.yml | 2 ++
 5 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/setup/modules/FreeipaAnsible/ansible/ansipa-fetch-alerts.sh b/setup/modules/FreeipaAnsible/ansible/ansipa-fetch-alerts.sh
index 77c7dc1..a793b4a 100644
--- a/setup/modules/FreeipaAnsible/ansible/ansipa-fetch-alerts.sh
+++ b/setup/modules/FreeipaAnsible/ansible/ansipa-fetch-alerts.sh
@@ -122,7 +122,7 @@ for ALERT_NAME in "${SERVER_ALERTS[@]}"; do
 echo "$ALERT_NAME" >> "$FETCHED_STATE"
 fi
- $NEW && log "New alert delivered: $ALERT_NAME"
+ [[ "$NEW" == true ]] && log "New alert delivered: $ALERT_NAME"
 done
 log "Done. ${#SERVER_ALERTS[@]} server alert(s) for $HOSTNAME."
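Review bot: The new `[[ "$NEW" == true ]]` test is only as reliable as the assignment of NEW, which happens outside the hunk: it must hold the literal string true or false on every iteration, and if the script runs with `set -u` an unset NEW would abort here rather than merely skip the log line, so it is worth confirming NEW is initialised at the top of the loop body. The short-circuit form is safe under `set -e` only because the failing `[[` precedes the final `&&`; writing it as `if [[ "$NEW" == true ]]; then log "New alert delivered: $ALERT_NAME"; fi` makes that explicit and matches the if/fi used just above it. The enclosing for loop begins before the hunk.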
diff --git a/setup/modules/FreeipaAnsible/image/Dockerfile b/setup/modules/FreeipaAnsible/image/Dockerfile
index cfd8571..6962f3d 100644
--- a/setup/modules/FreeipaAnsible/image/Dockerfile
+++ b/setup/modules/FreeipaAnsible/image/Dockerfile
@@ -12,7 +12,8 @@
 # -e IPA_DOMAIN=example.com \
 # -e IPA_ADMIN_PASSWORD=Secret123 \
 # -e IPA_DM_PASSWORD=Secret456 \
-# -p 443:443 -p 389:389 -p 636:636 -p 88:88 \
+# -e SMB_SCAN_PASSWORD=Secret789 \
+# -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 445:445 \
 # freeipa-server
 #
 # For production use docker-compose.yml instead.
diff --git a/setup/modules/FreeipaAnsible/image/ansipa-smb-setup.sh b/setup/modules/FreeipaAnsible/image/ansipa-smb-setup.sh
index b2665d8..e6cf33e 100644
--- a/setup/modules/FreeipaAnsible/image/ansipa-smb-setup.sh
+++ b/setup/modules/FreeipaAnsible/image/ansipa-smb-setup.sh
@@ -31,8 +31,9 @@ fi
 [[ -z "$SMB_PASS" ]] && die "SMB_SCAN_PASSWORD not set and $ENV_FILE not present. Set it in .env."
 # ── Persist for subsequent restarts ──────────────────────────────────────────
+# %q shell-quotes the value so passwords with spaces or special chars are safe.
 mkdir -p "$(dirname "$ENV_FILE")"
-printf 'SMB_SCAN_PASSWORD=%s\n' "$SMB_PASS" > "$ENV_FILE"
+printf 'SMB_SCAN_PASSWORD=%q\n' "$SMB_PASS" > "$ENV_FILE"
 chmod 600 "$ENV_FILE"
 # ── Directory structure (idempotent) ──────────────────────────────────────────
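Review bot: The quick-test example now shows the Samba password passed as `-e SMB_SCAN_PASSWORD=Secret789` on the command line, where it ends up in shell history and in `docker inspect` output for anyone who can reach the daemon; since this comment is what people copy, showing `--env-file .env` (the mechanism the die message in ansipa-smb-setup.sh already points at) or adding a line saying that `-e` is for throwaway testing only would be a better example. This is the same pattern the existing IPA_ADMIN_PASSWORD and IPA_DM_PASSWORD lines use, so one comment line covering all three is enough. The example also publishes only 445 while docker-compose.yml maps 139 and the new 137/138 UDP ports; if skipping NetBIOS in the quick test is deliberate, a short note saying so would stop readers from treating the two as interchangeable.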
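Review bot: `printf 'SMB_SCAN_PASSWORD=%q\n' "$SMB_PASS" > "$ENV_FILE"` creates the file under the process umask and only the following `chmod 600` tightens it, so there is a window in which the password may be readable by other users on the host; creating it restrictively from the start closes that window: `( umask 077; printf 'SMB_SCAN_PASSWORD=%q\n' "$SMB_PASS" > "$ENV_FILE" )`, keeping the chmod for files that already existed. The `%q` output (backslash escapes and `$'…'` forms) is only decoded correctly when the file is read with bash `source`/`.`; systemd EnvironmentFile= or docker `--env-file` would take the escapes literally, so the new comment should name the intended consumer, e.g. `# Only safe to consume by sourcing in bash; %q escapes are not understood by other readers.` Where the file is read back is outside this hunk, so that assumption is worth confirming.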
@@ -81,13 +82,13 @@ printf '%s\n%s\n' "$SMB_PASS" "$SMB_PASS" | smbpasswd -s "$SMB_USER" 2>/dev/n
 log "WARN: smbpasswd returned non-zero (user may already exist with correct password)"
 # ── Server-side scan checker cron (hourly, analysed on the IPA server itself) ─
-if [[ ! -f /etc/cron.d/ansipa-check-scans ]]; then
- cat > /etc/cron.d/ansipa-check-scans <<'CRON'
+# Always (re-)write: /etc/cron.d is on the ephemeral container layer and is
+# lost on container recreation, so we must restore it on every start.
+cat > /etc/cron.d/ansipa-check-scans <<'CRON'
 # ansipa: analyze client scan logs and write alerts — managed, do not edit.
 0 * * * * root /usr/local/sbin/ansipa-check-scans.sh 2>&1 | logger -t ansipa-check-scans
 CRON
- chmod 644 /etc/cron.d/ansipa-check-scans
- log "Installed hourly scan-checker cron"
-fi
+chmod 644 /etc/cron.d/ansipa-check-scans
+log "Installed hourly scan-checker cron"
 log "Samba setup complete. Share: //localhost/ansipa-scans user: $SMB_USER"
diff --git a/setup/modules/FreeipaAnsible/image/ansipa-smb.service b/setup/modules/FreeipaAnsible/image/ansipa-smb.service
index 5b7b2f1..8accb43 100644
--- a/setup/modules/FreeipaAnsible/image/ansipa-smb.service
+++ b/setup/modules/FreeipaAnsible/image/ansipa-smb.service
@@ -15,4 +15,6 @@ StandardOutput=journal
 StandardError=journal
 [Install]
-WantedBy=smb.service
+# multi-user.target ensures this runs on every container start.
+# Before=smb.service guarantees smb.conf and the Samba user exist before smbd starts.
+WantedBy=multi-user.target
diff --git a/setup/modules/FreeipaAnsible/image/docker-compose.yml b/setup/modules/FreeipaAnsible/image/docker-compose.yml
index 848d266..71b472f 100644
--- a/setup/modules/FreeipaAnsible/image/docker-compose.yml
+++ b/setup/modules/FreeipaAnsible/image/docker-compose.yml
@@ -59,6 +59,8 @@ services:
 - "443:443"
 - "445:445"
 - "139:139"
+ - "137:137/udp"
+ - "138:138/udp"
 networks:
 ipa-net:
 ipv4_address: 172.30.0.10
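Review bot: Now that `cat > /etc/cron.d/ansipa-check-scans <<'CRON'` runs on every start, the existing crontab is truncated and rewritten in place while cron may be rescanning the directory, so cron can briefly observe an empty or partial file; writing the heredoc to a temporary file on the same filesystem and renaming it over the target keeps the update atomic, with `chmod 644` applied before the rename. Because the write is now unconditional, `log "Installed hourly scan-checker cron"` is emitted on every boot and reads as a fresh install each time; `log "Ensured hourly scan-checker cron"` would describe what actually happens. The `chmod 644` still satisfies cron's requirement that cron.d entries be root-owned and not group/world-writable, which is worth keeping in mind if the ownership of the file is ever changed.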
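Review bot: The added comment `# Before=smb.service guarantees smb.conf and the Samba user exist before smbd starts.` describes a [Unit] directive that is not visible in this hunk; if Before=smb.service is not actually set, the comment is wrong, and if it is, the sentence belongs next to that directive rather than under [Install]. Changing WantedBy from smb.service to multi-user.target also changes the symlink that `systemctl enable` creates, so the build step that enables this unit must run again for the new target to take effect — presumably true on an image rebuild, but worth confirming. With ordering only, a later restart of smb.service on its own will not re-run this setup unit, which suits the stated boot-time goal but deserves a word in the comment so nobody expects it.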
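Review bot: Publishing `"137:137/udp"` and `"138:138/udp"` binds NetBIOS name and datagram service on every host interface, and since this traffic is largely broadcast-based it generally does not work through Docker's port NAT anyway, so the mappings widen what is reachable from the network without much client benefit; modern SMB clients talk directly to 445 and need neither. If the mappings are kept, restricting them to the interface clients actually use, e.g. `- "<host-ip>:137:137/udp"`, limits the exposure, and the same consideration applies to the existing 139 mapping. Otherwise it may be simpler to keep nmb.service for the container network only and leave the host ports unpublished.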